api: add API level 6

API level 6 allows callers to use both the TSYNC and notify APIs at
the same time.  This is due to the TSYNC_ESRCH flag which was added
in Linux v5.7.

This patch also fixes some omissions in seccomp_api_set().

Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

7 files changed, 209 insertions, 5 deletions

diff --git a/tests/.gitignore b/tests/.gitignore
index 59eb15c..1929840 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -63,3 +63,4 @@ util.pyc
 55-basic-pfc_binary_tree
 56-basic-iterate_syscalls
 57-basic-rawsysrc
+58-live-tsync_notify
diff --git a/tests/39-basic-api_level.c b/tests/39-basic-api_level.c
index 72801b5..6c31be1 100644
--- a/tests/39-basic-api_level.c
+++ b/tests/39-basic-api_level.c
@@ -68,13 +68,20 @@ int main(int argc, char *argv[])
 	if (api != 5)
 		return -11;
 
+	rc = seccomp_api_set(6);
+	if (rc != 0)
+		return -12;
+	api = seccomp_api_get();
+	if (api != 6)
+		return -13;
+
 	/* Attempt to set a high, invalid API level */
 	rc = seccomp_api_set(1024);
 	if (rc != -EINVAL)
 		return -1001;
 	/* Ensure that the previously set API level didn't change */
 	api = seccomp_api_get();
-	if (api != 5)
+	if (api != 6)
 		return -1002;
 
 	return 0;
diff --git a/tests/39-basic-api_level.py b/tests/39-basic-api_level.py
index 755ca02..352568e 100755
--- a/tests/39-basic-api_level.py
+++ b/tests/39-basic-api_level.py
@@ -60,6 +60,11 @@ def test():
     if api != 5:
         raise RuntimeError("Failed getting API level 5")
 
+    set_api(6)
+    api = get_api()
+    if api != 6:
+        raise RuntimeError("Failed getting API level 6")
+
     # Attempt to set a high, invalid API level
     try:
         set_api(1024)
@@ -69,7 +74,7 @@ def test():
         raise RuntimeError("Missing failure when setting invalid API level")
     # Ensure that the previously set API level didn't change
     api = get_api()
-    if api != 5:
+    if api != 6:
         raise RuntimeError("Failed getting old API level after setting an invalid API level")
 
 test()
diff --git a/tests/58-live-tsync_notify.c b/tests/58-live-tsync_notify.c
new file mode 100644
index 0000000..86e1b0c
--- /dev/null
+++ b/tests/58-live-tsync_notify.c
@@ -0,0 +1,116 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#include <seccomp.h>
+#include <signal.h>
+#include <syscall.h>
+#include <errno.h>
+#include <stdlib.h>
+
+#include "util.h"
+
+#define MAGIC 0x1122334455667788UL
+
+int main(int argc, char *argv[])
+{
+	int rc, fd = -1, status;
+	struct seccomp_notif *req = NULL;
+	struct seccomp_notif_resp *resp = NULL;
+	scmp_filter_ctx ctx = NULL;
+	pid_t pid = 0;
+
+	ctx = seccomp_init(SCMP_ACT_ALLOW);
+	if (ctx == NULL)
+		return ENOMEM;
+
+	rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
+	if (rc)
+		goto out;
+
+	rc = seccomp_rule_add(ctx, SCMP_ACT_NOTIFY, SCMP_SYS(getpid), 0, NULL);
+	if (rc)
+		goto out;
+
+	rc  = seccomp_load(ctx);
+	if (rc < 0)
+		goto out;
+
+	rc = seccomp_notify_fd(ctx);
+	if (rc < 0)
+		goto out;
+	fd = rc;
+
+	pid = fork();
+	if (pid == 0)
+		exit(syscall(SCMP_SYS(getpid)) != MAGIC);
+
+	rc = seccomp_notify_alloc(&req, &resp);
+	if (rc)
+		goto out;
+
+	rc = seccomp_notify_receive(fd, req);
+	if (rc)
+		goto out;
+	if (req->data.nr != SCMP_SYS(getpid)) {
+		rc = -EFAULT;
+		goto out;
+	}
+	rc = seccomp_notify_id_valid(fd, req->id);
+	if (rc)
+		goto out;
+
+	resp->id = req->id;
+	resp->val = MAGIC;
+	resp->error = 0;
+	resp->flags = 0;
+	rc = seccomp_notify_respond(fd, resp);
+	if (rc)
+		goto out;
+
+	if (waitpid(pid, &status, 0) != pid) {
+		rc = -EFAULT;
+		goto out;
+	}
+
+	if (!WIFEXITED(status)) {
+		rc = -EFAULT;
+		goto out;
+	}
+	if (WEXITSTATUS(status)) {
+		rc = -EFAULT;
+		goto out;
+	}
+
+out:
+	if (fd >= 0)
+		close(fd);
+	if (pid)
+		kill(pid, SIGKILL);
+	seccomp_notify_free(req, resp);
+	seccomp_release(ctx);
+
+	if (rc != 0)
+		return (rc < 0 ? -rc : rc);
+	return 160;
+}
diff --git a/tests/58-live-tsync_notify.py b/tests/58-live-tsync_notify.py
new file mode 100755
index 0000000..ae01b06
--- /dev/null
+++ b/tests/58-live-tsync_notify.py
@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import os
+import signal
+import sys
+
+import util
+
+from seccomp import *
+
+def test():
+    magic = os.getuid() + 1
+    f = SyscallFilter(ALLOW)
+    f.set_attr(Attr.CTL_TSYNC, 1)
+    f.add_rule(NOTIFY, "getuid")
+    f.load()
+    pid = os.fork()
+    if pid == 0:
+        val = os.getuid()
+        if val != magic:
+            raise RuntimeError("Response return value failed")
+            quit(1)
+        quit(0)
+    else:
+        notify = f.receive_notify()
+        if notify.syscall != resolve_syscall(Arch(), "getuid"):
+            raise RuntimeError("Notification failed")
+        f.respond_notify(NotificationResponse(notify, magic, 0, 0))
+        wpid, rc = os.waitpid(pid, 0)
+        if os.WIFEXITED(rc) == 0:
+            raise RuntimeError("Child process error")
+        if os.WEXITSTATUS(rc) != 0:
+            raise RuntimeError("Child process error")
+        quit(160)
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/58-live-tsync_notify.tests b/tests/58-live-tsync_notify.tests
new file mode 100644
index 0000000..6c84891
--- /dev/null
+++ b/tests/58-live-tsync_notify.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2019 Cisco Systems, Inc. <pmoore2@cisco.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: live
+
+# Testname		API	Result
+58-live-tsync_notify	6	ALLOW
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 1765eec..ddacbf3 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -96,7 +96,8 @@ check_PROGRAMS = \
 	54-live-binary_tree \
 	55-basic-pfc_binary_tree \
 	56-basic-iterate_syscalls \
-	57-basic-rawsysrc
+	57-basic-rawsysrc \
+	58-live-tsync_notify
 
 EXTRA_DIST_TESTPYTHON = \
 	util.py \
@@ -153,7 +154,8 @@ EXTRA_DIST_TESTPYTHON = \
 	52-basic-load.py \
 	53-sim-binary_tree.py \
 	54-live-binary_tree.py \
-	56-basic-iterate_syscalls.py
+	56-basic-iterate_syscalls.py \
+	58-live-tsync_notify.py
 
 EXTRA_DIST_TESTCFGS = \
 	01-sim-allow.tests \
@@ -212,7 +214,8 @@ EXTRA_DIST_TESTCFGS = \
 	54-live-binary_tree.tests \
 	55-basic-pfc_binary_tree.tests \
 	56-basic-iterate_syscalls.tests \
-	57-basic-rawsysrc.tests
+	57-basic-rawsysrc.tests \
+	58-live-tsync_notify.tests
 
 EXTRA_DIST_TESTSCRIPTS = \
 	38-basic-pfc_coverage.sh 38-basic-pfc_coverage.pfc \